Linux Kernel PGP Trust Chain Crisis: The SHA-1 Retirement Fallout

2025-05-09

Linux kernel development relies on PGP signatures, requiring maintainers to submit signed pull requests to Linus Torvalds. Due to issues with keyservers, Konstantin Ryabitsev maintains a git repository of relevant keys. Removing SHA-1 signatures would leave 485 public keys without a trust path to Linus Torvalds, impacting many core developers. This threatens the kernel's development process, potentially excluding key contributors. A keysigning event at Embedded Recipes 2025 aims to rebuild the trust chain.
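To make the trust-path claim concrete, the following is an added example, not code from the kernel's key repository or from the original page: it models certifications as a graph and shows which keys lose their path to the root key once SHA-1 certifications are rejected. The key names and the certification list are constructed placeholders.

```python
from collections import deque

# Constructed sample: (signer, signee, digest of the certification signature).
# All key names are hypothetical placeholders, not real kernel developer keys.
CERTS = [
    ("root", "alice", "SHA256"),
    ("root", "bob", "SHA1"),
    ("alice", "carol", "SHA1"),
    ("bob", "carol", "SHA512"),
    ("bob", "dave", "SHA256"),
    ("carol", "erin", "SHA256"),
]
REJECTED = frozenset({"SHA1"})  # digests the policy no longer accepts

def trusted(root, certs, rejected=frozenset()):
    """Keys reachable from root over certifications with an accepted digest."""
    graph = {}
    for signer, signee, digest in certs:
        if digest.upper() not in rejected:
            graph.setdefault(signer, set()).add(signee)
    seen, queue = {root}, deque([root])
    while queue:
        for signee in graph.get(queue.popleft(), ()):
            if signee not in seen:
                seen.add(signee)
                queue.append(signee)
    return seen

def orphaned(root, certs, rejected=REJECTED):
    """Keys that have a path today but none once rejected digests are dropped."""
    return sorted(trusted(root, certs) - trusted(root, certs, rejected))

def resign_candidates(root, certs, rejected=REJECTED):
    """Rejected certifications from a still-trusted signer to an orphaned key."""
    ok = trusted(root, certs, rejected)
    return sorted((s, t) for s, t, d in certs
                  if d.upper() in rejected and s in ok and t not in ok)

if __name__ == "__main__":
    print("orphaned:", orphaned("root", CERTS))
    print("re-sign:", resign_candidates("root", CERTS))
    fixed = CERTS + [("root", "bob", "SHA256")]  # one fresh SHA-256 certification
    print("orphaned after re-sign:", orphaned("root", fixed))
```

In this sample, dave and erin are orphaned even though their own certifications use SHA-2, because every path to them passes through a SHA-1 link; a single fresh certification on bob's key restores all four keys.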
